You are here

Oyster, Octopus and Metro cards: what happens to our data?

Today, travelling within many cities around the world comes at a cost: privacy.

Electronic ticketing systems are proliferating, but it’s not clear how much information they collect or what they do with it. Privacy International has written to 48 transport authorities and companies operating transport services across the world requesting this data.

The kinds of personal information held about users of London’s Oyster card (which is used to travel by tube, train and bus) include full name, address, telephone number, email address and password, as well as the encrypted bank details of customers who purchase Oyster products using a debit or credit card. The Oyster ticketing system also records the location, date and time whenever an Oyster card is used to validate a journey. Transport for London (TfL) are currently making changes that will see Oyster retain customers’ names and contact details for two years after a customer last uses their card or buys an Oyster product. Details of debit or credit cards used to buy Oyster products are retained for a maximum of 18 months.

TfL reserve the right to share Oyster information with their subsidiaries and service providers and with the UK train operators that accept Oyster cards. The Data Protection Act 1998 allows TfL to disclose personal data in response to requests from the police and other law enforcement bodies. A request under the DPA must be supported by evidence of the relevant legislation or a court order.

The Clipper Card stores information about travellers’ journeys (including the date and time, the start point and the fare) for at least 60 days and it has been reported that the database is retained for seven years. No information is readily available about periods of data retention for New York’s Metro Card, but since EasyPayXpress customers have 120 days to query a fare one can infer that the information must be stored for at least this long. The New York Times reported in 2009 that it had become standard practice for police in New York to seize Metro Cards on arrest and access the records.

Despite the fact that public transport smart cards have been in use for over a decade, there is still a serious lack of legal clarity around the use and retention of data collected by the systems. Most countries’ laws authorise warrants in cases of ‘national security’, but this term is so vague and ill-defined that its use does little to mitigate the potential for abuse. There is little law to stand in the way of databases containing vast swathes of personal information - including your travel history for the past several weeks - being retained and shared with third parties. Further statutory provisions to protect citizens from potential privacy breaches are urgently required, as well as guarantees that unauthorised access to such data will be prevented.

Last month, Privacy International wrote to 48 transport authorities and companies operating transport services across the world requesting the following information:

What information is collected about how the travel card is used? For example, start point of journey, end point of journey, time and date of journey or fare paid.

Is the travel card used for anything other than transport? For example, to pay for small purchases, and if so, what information is collected about this type of usage.

How long is the data retention period? Is this data aggregated at any point?

Under what circumstances is information on individuals shared with law enforcement officers? For example, is a judicial or ministerial warrant or a subpoena required?

Responses are now trickling in and Privacy International will share the results once we have collated them. There is currently not enough data in the public domain to adequately understand the extent to which citizens’ travel and personal data is being used and retained. However, there are strong indicators that travelling by public transport in many parts of the world is no longer solely a financial exchange, but also a trade-off of civil liberties.